Really back out ache's commits. These files are now precisely as they were

twentyfour hours ago, except for RCS ids.
svn path=/head/; revision=89569
2002-01-19 18:29:50 +00:00 · 2002-01-19 18:29:50 +00:00 · 819a142080 · 2020-12-20 02:59:44 +00:00
commit 819a142080
parent 07977587ab
4 changed files with 17 additions and 13 deletions
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@ -9,8 +9,10 @@ auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
 #auth           sufficient      pam_ssh.so      no_warn try_first_pass
-#auth		sufficient	pam_opie.so	no_warn
-auth		required	pam_unix.so	no_warn	try_first_pass
+# Uncomment either pam_opie or pam_unix, but not both of them.
+# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
+auth		required	pam_opie.so	no_warn
+#auth		required	pam_unix.so	no_warn try_first_pass

 # account
 #account	required	pam_kerberosIV.so
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@ -6,10 +6,10 @@

 # auth
 auth		required	pam_nologin.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
-#auth 		sufficient	pam_opie.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass

 # account
@ -24,6 +24,7 @@ account		required	pam_unix.so
 session		required	pam_unix.so

 # password
+#password	sufficient	pam_opie.so	no_warn
 #password	sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #password	sufficient	pam_krb5.so	no_warn try_first_pass
 password	required	pam_unix.so	no_warn try_first_pass
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@ -9,8 +9,8 @@ auth		sufficient	pam_rootok.so	no_warn
 auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
+#auth		required	pam_opie.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
-#auth 		sufficient	pam_opie.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass nullok
 #auth		sufficient	pam_rootok.so	no_warn
 ##auth		sufficient	pam_kerberosIV.so	no_warn
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@ -1251,23 +1251,24 @@ pass(passwd)
 		}
 #ifdef USE_PAM
 		rval = auth_pam(&pw, passwd);
-		if (rval >= 0) {
-			opieunlock();
+		opieunlock();   /* XXX */
+		if (rval == 0 || (!pwok && rval > 0))
 			goto skip;
-		}
-#endif
+		xpasswd = crypt(passwd, pw->pw_passwd);
+#else /* !USE_PAM */
 		if (opieverify(&opiedata, passwd) == 0)
 			xpasswd = pw->pw_passwd;
-		else if (pwok) {
+		else if (pwok)
 			xpasswd = crypt(passwd, pw->pw_passwd);
-			if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
-				xpasswd = ":";
-		} else {
+		else {
 			rval = 1;
 			goto skip;
 		}
+#endif /* !USE_PAM */
 		rval = strcmp(pw->pw_passwd, xpasswd);
-		if (pw->pw_expire && time(NULL) >= pw->pw_expire)
+		/* The strcmp does not catch null passwords! */
+		if (*pw->pw_passwd == '\0' ||
+		    (pw->pw_expire && time(NULL) >= pw->pw_expire))
 			rval = 1;	/* failure */
 skip:
 		/*